General
Target: 1bb15614749e6ce0d1dd96888050ba31_JaffaCakes118
Size: 436KB
Sample: 240701-r3da3s1bmq
MD5: 1bb15614749e6ce0d1dd96888050ba31
SHA1: 5738b5ff152cebb76510c4b896a1a9f6f477971f
SHA256: 640fc0e69e50cf92cff3f938f81fff3f95b0ea12a898a39ea36afccba12ec3c0
SHA512: 01c4b9f5db804989c192151e8158c018e25a99197b1deb84165b4aec5599cc462ee9a642bb6d43da22787d698add09027c001650d3fdb2bf74bcc936e2d6bd32
SSDEEP: 6144:ykTP4yPihJJfbluI7SDyzF9H+rEvooXMJuaa7RCoXJOhYNHZXVh6PF62N4p8bp:8JJfxSDyzFoYQOMJuaatCoDkk2N4K
Static task: static1
Behavioral task: behavioral1
Sample: 1bb15614749e6ce0d1dd96888050ba31_JaffaCakes118.exe
Resource: win7-20240508-en
Malware Config
Extracted family: cybergate
Version: v1.07.5
Campaign ID: MM-1204
C2: finders.hopto.org:426
Mutex: EL7F5178DOQ43F
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Google Update
install_file: taskmgr.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Error - Application not supported on this operating system
message_box_title: Model Placement Application
password: knarf0909
regkey_hkcu: Google Update
regkey_hklm: Google Update
Targets
Target: 1bb15614749e6ce0d1dd96888050ba31_JaffaCakes118
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
Suspicious use of SetThreadContext